tomcat-dev mailing list archives

From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: Guide to developing secure tomcat/jsp web apps - help ??
Date Thu, 02 Aug 2001 00:43:49 GMT
I read that article in JavaPro and many things weren't mentioned.
I don't think you will find any one source of information that covers
everything.

Another source of information regarding use of the Java SecurityManager
and some general rules for writing code for secure applications is at:

http://www.more.net/events/apachecon2001/

Regards,

Glenn

"Rob S." wrote:
> 
> I think that your question is really about server-side security for web apps
> in general.  All of your questions can apply to any web application
> regardless of technology being used (e.g. asp, php, cfm)
> 
> A good place to start would be Java Pro Magazine.  Two issues ago - cover
> page about securing server side in Java.  That's as good a place as any to
> start.
> 
> GL!
> 
> - r
> 
> > -----Original Message-----
> > From: Greg Callaghan [mailto:greg_callaghan@hotmail.com]
> > Sent: Wednesday, August 01, 2001 2:26 AM
> > To: tomcat-dev@jakarta.apache.org
> > Subject: Guide to developing secure tomcat/jsp web apps - help ??
> >
> >
> > Hi all,
> >
> > It would be very useful to have a checklist or guidelines to ensure a
> > JSP/tomcat web site one develops is secure, in particular for the scenario
> > where the web application is not huge/complex &/or is developed by part-time
> > developers.   That is I guess I'm generally asking for the easiest way of
> > ensuring one develops a secure JSP/tomcat app.
> >
> > Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web
> > app is secure?    The types of things I'm thinking of include the following
> > items, which I've put forward as specific questions to the mail group in
> > their own right.
> >
> > Q2 - How do you ensure directories under doc root can't be viewed?  (ie
> > users see directory listings)
> > - is putting in an index.html in each sub-directory a solid answer?
> > - can this be handled in one hit via WEB.XML entries?  if so an example if
> > possible?
> >
> > Above and beyond basic User Authentication checking (eg username/password
> > check at beginning of session) what is an easy but secure way of checking -:
> >
> > Q3 check that user (ie specific) is allowed to access a specific JSP page?
> > (assuming the web app is a totally JSP based solution, ie no controller
> > servlet frontend, ie and that all JSP pages are effectively accessible under
> > docroot).    Easy way of doing this?
> > eg (a) put specific check at beginning of each JSP page?
> >    (b) other?
> >
> > and
> >
> > Q4 given that a user is allowed to access that JSP page, check that he is
> > allowed to view the data which he has requested?   (ie stop people
> > determining how the URL with parameters is constructed and manually changing
> > the parameters - eg changing "http://www.test/test.jsp?id=3", manually
> > "http://www.test/test.jsp?id=4").  Easy way of doing this?
> > eg (a) put specific check at beginning of JSP page?
> >    (b) other
> >
> > Q5 Is it generally acceptable, given appropriate precautions are taken, to
> > set up a web site with all JSP files accessible under doc root, and that the
> > manner in which the user navigates around the application is based on direct
> > calls from the browser to the next JSP page with parameters?   (again one
> > concern I have is eg changing "http://www.test/test.jsp?id=3", manually
> > "http://www.test/test.jsp?id=4").     If this is not acceptable what is
> > recommended?
> >
> > (a) as above put a specific check at the beginning of the JSP page
> > (b) for example having to specifically put a controller servlet as a front
> > end, and then direct to JSP pages which are hidden?
> > - in this case how can one hide specific directories under doc root?
> > (c) other??
> >
> > Q6. Regarding image security I assume one really does have to store them
> > outside doc root and develop a small "getImage" servlet so that requests to
> > images can be verified to ensure that (assuming the app lets users load
> > images) the end user can't see another user's image?
> >
> > Q7. Any other general checklist items for a simple JSP/tomcat web site re
> > security one should check for???
> >
> >
> > Thanks in advance
> > Greg
> >
> >
> >
> >
> >

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
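Greg's Q4 and Q5 concern (editing ?id=3 into ?id=4 in the URL) is usually addressed by an authorization check made on every request, before any data is loaded, against state the server holds rather than anything carried in the request. The Java below is an added example, not code from this thread or from Tomcat; the record and role maps, the usernames and the record ids are constructed stand-ins for whatever database lookups a real application would perform.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example: server-side check that the logged-in user may view the
 *  record named by an untrusted "?id=N" parameter. The two maps are constructed
 *  stand-ins for the database lookups a real app would do. */
public class RecordAccessCheck {
    /** Hypothetical record store: record id -> owning username. */
    private final Map<Integer, String> recordOwner = new HashMap<>();
    /** Hypothetical account store: username -> role. */
    private final Map<String, String> userRole = new HashMap<>();

    public RecordAccessCheck() {
        // Constructed sample data: alice owns record 3, bob owns record 4.
        recordOwner.put(3, "alice");
        recordOwner.put(4, "bob");
        userRole.put("alice", "user");
        userRole.put("bob", "user");
        userRole.put("carol", "admin");
    }

    /** Parse the untrusted "id" parameter; anything but a short plain integer yields null. */
    static Integer parseId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) return null;
        return Integer.valueOf(raw);
    }

    /** The username comes from the authenticated session (an attribute set at
     *  login), never from the request, so editing the URL cannot change who the
     *  check is made for. Unknown and forbidden records get the same answer, so
     *  probing ids does not reveal which ones exist. */
    public boolean mayView(String sessionUser, String rawId) {
        if (sessionUser == null) return false;          // no authenticated session
        Integer id = parseId(rawId);
        if (id == null) return false;                    // malformed parameter
        String owner = recordOwner.get(id);
        if (owner == null) return false;                 // no such record
        return owner.equals(sessionUser) || "admin".equals(userRole.get(sessionUser));
    }

    public static void main(String[] args) {
        RecordAccessCheck check = new RecordAccessCheck();
        System.out.println("alice, id=3 (own record):   " + check.mayView("alice", "3"));
        System.out.println("alice, id=4 (bob's record): " + check.mayView("alice", "4"));
        System.out.println("carol, id=4 (admin role):   " + check.mayView("carol", "4"));
        System.out.println("alice, id=4abc (malformed): " + check.mayView("alice", "4abc"));
    }
}
```

In a JSP-only layout this is the check each page (or a shared include) would call before touching the data; with a controller servlet in front, the same check sits in the controller and the JSPs are only ever reached by forwarding.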
